Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance .
On Jul 7, 2011, at 9:05 PM, Paulo Maia wrote:
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance . - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Come on the information is in the wiki, did you even search? http://wiki.freeradius.org/Mac%20Auth#Mac-Auth+authorisation+by+SSID+SQL Assuming you know SQL you shouldn't have any issues. All the policies being called in the example and the extra attributes are now in the default 3.x branch in git, so I suggest you clone that and build from source. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
Hi,
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table� witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance .
put MAC address in the radcheck table and set an Expiration. should work a treat 00-11-22-33-44-55 Expiration := "10 Jul 2011" alan
Ok guys thanks . One other question tough .... i have configured radius settings in the switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests are getting to the radius server OK . But it keeps asking for user/pass auth and . Is there a way to authenticate the mac-address without enable 802.1x in the client computer ? On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table� witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance .
put MAC address in the radcheck table and set an Expiration. should work a treat
00-11-22-33-44-55 Expiration := "10 Jul 2011"
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I dont want to enable 802.1x auth in the clients coz i have over 3000 computers and i dont have AD to set a gpo to set in all clients .... But i do have all mac-addresses . I dont know if im going the wrong way here . Thanks , On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia <phc.maia@gmail.com> wrote:
Ok guys thanks . One other question tough .... i have configured radius settings in the switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests are getting to the radius server OK . But it keeps asking for user/pass auth and . Is there a way to authenticate the mac-address without enable 802.1x in the client computer ?
On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk>wrote:
Hi,
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table� witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance .
put MAC address in the radcheck table and set an Expiration. should work a treat
00-11-22-33-44-55 Expiration := "10 Jul 2011"
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm not sure about FreeRADIUS but for this scheme we use server with disable mac learning and static mac table. If you don't have the server support this try to do it in the switches, but static mac table limited to some value less than 3000 I think. If you have several suitable routers and you know that clients don't move between them you could set static mac table to the part of 3000 for every switch. At sum it may be 3000 and may meet static mac table limit requirement. 2011/7/8 Paulo Maia <phc.maia@gmail.com>:
I dont want to enable 802.1x auth in the clients coz i have over 3000 computers and i dont have AD to set a gpo to set in all clients .... But i do have all mac-addresses . I dont know if im going the wrong way here .
Thanks ,
On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia <phc.maia@gmail.com> wrote:
Ok guys thanks . One other question tough .... i have configured radius settings in the switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests are getting to the radius server OK . But it keeps asking for user/pass auth and . Is there a way to authenticate the mac-address without enable 802.1x in the client computer ?
On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table� witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance .
put MAC address in the radcheck table and set an Expiration. should work a treat
00-11-22-33-44-55 Expiration := "10 Jul 2011"
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Regards, Shildyakov Alexey Vladimirovich
MAC-Auth has its place, but I agree with some others this isn’t the best fit. MAC spoofing = easy. User gets new NIC or computer = often. “You” don’t need to do anything on the client. How about you set a default VLAN with restrictions, a captive portal of sorts. They don’t need to “login”, but every DNS request lands them on a page that says: You’re not authenticated; you need to follow the directions in this link. Have a how-to with pretty pictures and stuff, I’m sure there are many already on the web. ACL on the default “GUEST” VLAN restricts their IP access as you see fit. Bottom line, users can enable / configure 802.1x supplicant themselves with a little guidance. In the long run you’ll be WAY better off with 802.1x. IMHO. G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Paulo Maia Sent: Thursday, July 07, 2011 4:10 PM To: FreeRadius users mailing list Subject: Re: Mac-Auth I dont want to enable 802.1x auth in the clients coz i have over 3000 computers and i dont have AD to set a gpo to set in all clients .... But i do have all mac-addresses . I dont know if im going the wrong way here . Thanks , On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia <phc.maia@gmail.com<mailto:phc.maia@gmail.com>> wrote: Ok guys thanks . One other question tough .... i have configured radius settings in the switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests are getting to the radius server OK . But it keeps asking for user/pass auth and . Is there a way to authenticate the mac-address without enable 802.1x in the client computer ? On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk>> wrote: Hi,
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table� witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance . put MAC address in the radcheck table and set an Expiration. should work a treat
00-11-22-33-44-55 Expiration := "10 Jul 2011" alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font>
If I may butt in here… IF you are interested in a FOSS captive portal there is a rather good FOSS NAC called packetfence that can do exactly what Mr. Gatten is saying. It uses FreeRADIUS for its 802.1x authentication and has all kinds of neat features. If your interested drop me a line I can give you more info or go to their website www.packetfence.org. Jake Sallee Godfather of Bandwidth System Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Thursday, July 07, 2011 5:09 PM To: 'FreeRadius users mailing list' Subject: RE: Mac-Auth MAC-Auth has its place, but I agree with some others this isn’t the best fit. MAC spoofing = easy. User gets new NIC or computer = often. “You” don’t need to do anything on the client. How about you set a default VLAN with restrictions, a captive portal of sorts. They don’t need to “login”, but every DNS request lands them on a page that says: You’re not authenticated; you need to follow the directions in this link. Have a how-to with pretty pictures and stuff, I’m sure there are many already on the web. ACL on the default “GUEST” VLAN restricts their IP access as you see fit. Bottom line, users can enable / configure 802.1x supplicant themselves with a little guidance. In the long run you’ll be WAY better off with 802.1x. IMHO. G ________________________________ From: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] On Behalf Of Paulo Maia Sent: Thursday, July 07, 2011 4:10 PM To: FreeRadius users mailing list Subject: Re: Mac-Auth I dont want to enable 802.1x auth in the clients coz i have over 3000 computers and i dont have AD to set a gpo to set in all clients .... But i do have all mac-addresses . I dont know if im going the wrong way here . Thanks , On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia <phc.maia@gmail.com<mailto:phc.maia@gmail.com>> wrote: Ok guys thanks . One other question tough .... i have configured radius settings in the switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests are getting to the radius server OK . But it keeps asking for user/pass auth and . Is there a way to authenticate the mac-address without enable 802.1x in the client computer ? On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk>> wrote: Hi,
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table� witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance . put MAC address in the radcheck table and set an Expiration. should work a treat
00-11-22-33-44-55 Expiration := "10 Jul 2011" alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
Thanks a lot for all your thoughts guys , I`ll take a look at it Jake thanks . On Thu, Jul 7, 2011 at 6:33 PM, Sallee, Stephen (Jake) <Jake.Sallee@umhb.edu
wrote:
If I may butt in here…****
** **
IF you are interested in a FOSS captive portal there is a rather good FOSS NAC called packetfence that can do exactly what Mr. Gatten is saying. It uses FreeRADIUS for its 802.1x authentication and has all kinds of neat features. If your interested drop me a line I can give you more info or go to their website www.packetfence.org.****
** **
Jake Sallee****
Godfather of Bandwidth****
System Engineer****
University of Mary Hardin-Baylor****
900 College St.****
Belton, Texas****
76513****
Fone: 254-295-4658****
Phax: 254-295-4221****
** **
*From:* freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org[mailto: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] *On Behalf Of *Gary Gatten *Sent:* Thursday, July 07, 2011 5:09 PM
*To:* 'FreeRadius users mailing list' *Subject:* RE: Mac-Auth****
** **
MAC-Auth has its place, but I agree with some others this isn’t the best fit. MAC spoofing = easy. User gets new NIC or computer = often.****
** **
“You” don’t need to do anything on the client. How about you set a default VLAN with restrictions, a captive portal of sorts. They don’t *need *to “login”, but every DNS request lands them on a page that says: You’re not authenticated; you need to follow the directions in this link. Have a how-to with pretty pictures and stuff, I’m sure there are many already on the web. ACL on the default “GUEST” VLAN restricts their IP access as you see fit.****
** **
Bottom line, users can enable / configure 802.1x supplicant themselves with a little guidance. In the long run you’ll be WAY better off with 802.1x. IMHO.****
** **
G****
** ** ------------------------------
*From:* freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org[mailto: freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] *On Behalf Of *Paulo Maia *Sent:* Thursday, July 07, 2011 4:10 PM *To:* FreeRadius users mailing list *Subject:* Re: Mac-Auth****
** **
I dont want to enable 802.1x auth in the clients coz i have over 3000 computers and i dont have AD to set a gpo to set in all clients .... But i do have all mac-addresses . I dont know if im going the wrong way here .
Thanks ,****
On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia <phc.maia@gmail.com> wrote:****
Ok guys thanks . One other question tough .... i have configured radius settings in the switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests are getting to the radius server OK . But it keeps asking for user/pass auth and . Is there a way to authenticate the mac-address without enable 802.1x in the client computer ? ****
** **
On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk> wrote:****
Hi,****
Hi Guys , Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table�witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period . Any ideas ? Thanks in advance .****
put MAC address in the radcheck table and set an Expiration. should work a treat
00-11-22-33-44-55 Expiration := "10 Jul 2011"
alan****
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html****
** **
** **
"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." ****
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Paulo Maia <phc.maia@gmail.com> wrote:
Here is the thing , im trying to use Mac-Auth , I managed to get working using authorized-macs files , although i need to use a mysql table witch i already have with the ssid and mac-address fields and i need to add an operator to expired macs , coz i work at a college campus and students mac-addresses need to expire acording to their course period.
A far better way is to use 802.1X and get the user to use their username and password to connect. Once their course ends, the account is expired and the student no longer can connect. If you do go down this route, I strongly recommend you hook up locally with the local http://www.eduroam.org/ outfit if that is an option for you. 802.1X (using PEAP) can be now pre-primed on Windows laptops laptops for free so you can just pass out an installer to the students to get themselves connected: https://su1x.swan.ac.uk/ Believe me, collecting and managing MAC addresses is not something I would wish on anyone. Cheers -- Alexander Clouter .sigmonster says: "Ninety percent of baseball is half mental." -- Yogi Berra
On Jul 7, 2011, at 10:19 PM, Alexey Shildyakov wrote:
Believe me, collecting and managing MAC addresses is not something I would wish on anyone.
I don't think so. It's helpful for managing switches to use for on port mac-filtering
And can be done automagically with Mac-Auth - Mac-Auth is a good step between nothing and 802.1X. Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter
participants (7)
-
Alan Buxey -
Alexander Clouter -
Alexey Shildyakov -
Arran Cudbard-Bell -
Gary Gatten -
Paulo Maia -
Sallee, Stephen (Jake)